Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in choosing the best encryption method—field-level vs. transport-level or application-level encryption—and the integration points with Lambda functions. In production, this is about knowing exactly how to delegate encryption duties cleanly while controlling decryption access within just the right application components. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
Maple Technologies is developing a customer-facing web portal that processes sensitive personal information, distributed over 20-plus distinct data fields per user request. The system architecture uses an Amazon CloudFront distribution in front of several AWS Lambda functions to handle different processing steps. To comply with strict data privacy policies, the sensitive payload must be encrypted end-to-end; however, only certain Lambda functions should be authorized to decrypt parts of the data for business logic execution.
The Requirement #
Identify a secure solution that ensures field-level encryption of sensitive data, limits decryption capabilities strictly to authorized Lambda functions, and integrates seamlessly with CloudFront.
The Options #
- A) Associate the CloudFront distribution with a Lambda@Edge function. Configure this function to perform field-level asymmetric encryption using a user-defined RSA public key securely stored in AWS Key Management Service (KMS).
- B) Integrate AWS WAF with CloudFront to protect sensitive data. Use a Lambda function combined with self-managed encryption keys outside AWS KMS to perform encryption and decryption.
- C) Configure CloudFront to forward all viewer request headers to the origin using WebSockets. Create an asymmetric KMS key and enable CloudFront’s built-in field-level encryption feature that leverages the AWS KMS key.
- D) Configure CloudFront’s cache behavior to enforce HTTPS between viewers and CloudFront. Require users to access content via signed URLs or signed cookies, relying on transport layer security and access control but not per-field encryption.
Correct Answer #
C
Quick Insight: The Developer Imperative #
AWS DVA exam takers often mistake HTTPS transport security or traditional Lambda encryption code as sufficient for granular control. However, the key is leveraging CloudFront’s integrated field-level encryption combined with asymmetric KMS keys, enabling secure encryption in transit and at rest, with precise decryption rights only for authorized Lambda functions.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
CloudFront’s field-level encryption natively allows you to designate specific fields in the request body for encryption before forwarding data to the origin. By creating an asymmetric AWS KMS customer-managed key (CMK), you can use its public key to encrypt fields at CloudFront edge locations. This ensures data is encrypted before reaching your Lambda functions while allowing only authorized functions with decrypt permissions on the KMS key to access the plaintext. WebSocket forwarding is a way to make sure all headers are passed to the origin (your Lambda-backed origin or API), maintaining context if needed.
- This approach leverages AWS managed cryptographic primitives, reducing operational complexity.
- It provides fine-grained encryption tied to KMS policies, which enforce least privilege, restricting which Lambda functions can decrypt.
- Lambda@Edge functions (Option A) cannot directly call KMS or handle complex encryption reliably due to their execution environment constraints.
- Option B’s self-managed keys complicate key rotation and compliance.
- Option D only ensures encrypted transport and signed identity but does not encrypt sensitive fields individually.
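The decrypting side of the flow described above, as an added example that is not code from the original note: a Lambda handler that asks KMS to decrypt only the fields its own business logic needs, leaves every other ciphertext field untouched, and fails closed when the key policy has not granted its execution role `kms:Decrypt`. The key ARN, the field names, the sample request and the `FakeKms` stand-in are constructed assumptions so the code runs offline; with a real boto3 client the same `decrypt` call is authorized (or denied) by the key policy.

```python
import base64
import json

# Constructed values (assumptions for this example, not from the original note).
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
# Only this function's business logic needs these two fields; everything else
# stays encrypted even if it arrives in the same request body.
AUTHORIZED_FIELDS = frozenset({"ssn", "date_of_birth"})
# RSA KMS keys encrypt and decrypt with OAEP; the algorithm name must match the
# one used when the field was encrypted with the key's public half.
ENCRYPTION_ALGORITHM = "RSAES_OAEP_SHA_256"

# Constructed sample request: sensitive fields carry base64 ciphertext, the name
# travels in the clear. "ENC:" + plaintext is only the FakeKms ciphertext format.
SAMPLE_BODY = {
    "name": "Jane Doe",
    "ssn": base64.b64encode(b"ENC:123-45-6789").decode(),
    "date_of_birth": base64.b64encode(b"ENC:1990-01-01").decode(),
    "credit_card": base64.b64encode(b"ENC:4111111111111111").decode(),
}
SAMPLE_EVENT = {"body": json.dumps(SAMPLE_BODY)}


def decrypt_authorized_fields(body, kms_client, authorized=AUTHORIZED_FIELDS):
    """Return a copy of body with only the authorized encrypted fields replaced by
    plaintext. Unauthorized fields are left as ciphertext, so this function never
    holds plaintext it has no business reason to see."""
    out = dict(body)
    for name in sorted(authorized):
        if name not in body:
            continue
        resp = kms_client.decrypt(
            KeyId=KMS_KEY_ARN,
            CiphertextBlob=base64.b64decode(body[name]),
            EncryptionAlgorithm=ENCRYPTION_ALGORITHM,
        )
        out[name] = resp["Plaintext"].decode("utf-8")
    return out


def handler(event, context=None, kms_client=None, authorized=AUTHORIZED_FIELDS):
    """Lambda entry point (proxy-integration shape: event["body"] is a JSON string)."""
    if kms_client is None:
        import boto3  # lazy import so the module loads without boto3 installed
        kms_client = boto3.client("kms")
    body = json.loads(event.get("body") or "{}")
    try:
        data = decrypt_authorized_fields(body, kms_client, authorized)
    except kms_client.exceptions.AccessDeniedException:
        # The key policy did not grant this role kms:Decrypt: fail closed and
        # return no field contents at all.
        return {"statusCode": 403, "body": json.dumps({"error": "decrypt not permitted"})}
    # Business logic would consume `data` here; the response names which fields
    # were decrypted but never echoes their plaintext.
    return {"statusCode": 200,
            "body": json.dumps({"decrypted_fields": sorted(set(authorized) & set(body))})}


class FakeKms:
    """Constructed stand-in for boto3's KMS client so the flow runs offline.
    It 'decrypts' the constructed format b"ENC:" + plaintext and denies callers
    whose role is not in allowed_roles, mimicking a key policy that grants
    kms:Decrypt only to specific Lambda execution roles."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class AccessDeniedException(Exception):
            pass

    def __init__(self, caller_role, allowed_roles):
        self.caller_role = caller_role
        self.allowed_roles = set(allowed_roles)
        self.calls = []  # KeyIds requested, for inspection in tests

    def decrypt(self, KeyId, CiphertextBlob, EncryptionAlgorithm):
        self.calls.append(KeyId)
        if self.caller_role not in self.allowed_roles:
            raise self.exceptions.AccessDeniedException(self.caller_role)
        if EncryptionAlgorithm != ENCRYPTION_ALGORITHM or not CiphertextBlob.startswith(b"ENC:"):
            raise ValueError("ciphertext/algorithm mismatch")
        return {"KeyId": KeyId, "Plaintext": CiphertextBlob[4:],
                "EncryptionAlgorithm": EncryptionAlgorithm}


ROLE1 = "arn:aws:iam::123456789012:role/LambdaFunctionRole1"
ROLE_UNLISTED = "arn:aws:iam::123456789012:role/ReportingFunctionRole"  # constructed

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, kms_client=FakeKms(ROLE1, {ROLE1})))          # 200
    print(handler(SAMPLE_EVENT, kms_client=FakeKms(ROLE_UNLISTED, {ROLE1})))  # 403
```

The design point is that authorization lives in two places that must agree: the key policy decides which execution roles may call `kms:Decrypt` at all, and each function's own `AUTHORIZED_FIELDS` keeps it from decrypting fields it has no need for even when the key policy would allow it.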
The Trap (Distractor Analysis) #
- Why not A? Lambda@Edge functions have limited runtime and lack permissions and key management integration to securely perform asymmetric encryption with KMS. They mainly modify headers or simple transformations, not heavy cryptography.
- Why not B? AWS WAF protects against attacks but does not provide cryptographic encryption. Self-managed keys increase risk and operational overhead, violating best practices, especially for sensitive fields.
- Why not D? Transport-layer encryption and signed URLs/cookies protect data in motion and restrict access, but do not fulfill the requirement for field-level encryption and selective decryption capabilities.
The Technical Blueprint #
For Developer (Code/CLI Snippet): KMS Key Creation and Policy Sample #
```bash
# Create an asymmetric RSA key for field-level encryption and decryption.
# --key-usage is mandatory for asymmetric keys (ENCRYPT_DECRYPT here: the key
# wraps field data, it does not sign); --key-spec replaces the deprecated
# --customer-master-key-spec flag.
aws kms create-key \
  --description "Asymmetric key for CloudFront field-level encryption" \
  --key-usage ENCRYPT_DECRYPT \
  --key-spec RSA_2048
```

Example key policy granting decryption to specific Lambda functions' execution roles. The first statement keeps the key administrable by the account; without it, KMS's key-policy lockout safety check rejects the policy at creation time. The second statement is the least-privilege grant: only the two listed execution roles may call `kms:Decrypt`. The account ID is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowLambdaDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": [
        "arn:aws:iam::123456789012:role/LambdaFunctionRole1",
        "arn:aws:iam::123456789012:role/LambdaFunctionRole2"
      ]},
      "Action": ["kms:Decrypt"],
      "Resource": "*"
    }
  ]
}
```
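A review check for the key policy above, added here as an example that is not part of the original note: it lists every principal an Allow statement lets call `kms:Decrypt` and raises the least-privilege findings a reviewer would want (a wildcard principal, `kms:*` handed to a non-root principal, or a policy with no administrative statement). The embedded policy is a constructed copy of the note's decrypt statement plus the usual root administration statement; the two variants are constructed to show the findings firing.

```python
import copy
import json

# Constructed key policy: the note's decrypt grant plus the administrative statement
# a complete key policy needs so the key stays manageable.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EnableKeyAdministration", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowLambdaDecrypt", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/LambdaFunctionRole1",
                           "arn:aws:iam::123456789012:role/LambdaFunctionRole2"]},
     "Action": ["kms:Decrypt"], "Resource": "*"}
  ]
}
""")

# Constructed variants: one opens decrypt to everyone, one drops the admin statement.
WILDCARD_VARIANT = copy.deepcopy(SAMPLE_KEY_POLICY)
WILDCARD_VARIANT["Statement"][1]["Principal"] = "*"
NO_ADMIN_VARIANT = {"Version": "2012-10-17",
                    "Statement": [copy.deepcopy(SAMPLE_KEY_POLICY["Statement"][1])]}


def _as_list(value):
    """IAM allows string-or-list for Action and Principal entries; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element: "*" or {"AWS": str|list, "Service": ...}."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for entries in principal.values():
            out.extend(_as_list(entries))
        return out
    return _as_list(principal)


def _actions(statement):
    return {a.lower() for a in _as_list(statement.get("Action"))}


def _grants_decrypt(statement):
    """True when an Allow statement's actions cover kms:Decrypt (directly or via wildcard)."""
    return statement.get("Effect") == "Allow" and bool(
        _actions(statement) & {"kms:decrypt", "kms:*", "*"})


def decrypt_principals(policy):
    """Every principal some Allow statement lets call kms:Decrypt.
    The account root is included when it holds kms:*, since root can then
    delegate Decrypt to any identity through IAM policies."""
    found = set()
    for statement in policy.get("Statement", []):
        if _grants_decrypt(statement):
            found.update(_principals(statement))
    return found


def lint_key_policy(policy):
    """Least-privilege findings a reviewer would raise; empty list means clean."""
    findings = []
    has_admin = False
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        broad = bool(_actions(statement) & {"kms:*", "*"})
        for p in _principals(statement):
            if p == "*":
                if _grants_decrypt(statement):
                    findings.append(f"{sid}: kms:Decrypt granted to wildcard principal")
            elif p.endswith(":root") and broad:
                has_admin = True  # the standard key-administration statement
            elif broad:
                findings.append(f"{sid}: kms:* granted to non-root principal {p}; grant kms:Decrypt only")
    if not has_admin:
        findings.append("no administrative statement (root principal with kms:*); "
                        "KMS's key-policy lockout safety check would reject this policy")
    return findings


if __name__ == "__main__":
    for label, pol in [("sample", SAMPLE_KEY_POLICY), ("wildcard", WILDCARD_VARIANT),
                       ("no-admin", NO_ADMIN_VARIANT)]:
        print(label, sorted(decrypt_principals(pol)), lint_key_policy(pol))
```

The check reads the policy the way KMS does, so it also catches the mistake that is easy to make when hand-editing: granting `kms:*` to a function role "for convenience", which silently hands that role decrypt, re-encrypt and key-management rights instead of the single `kms:Decrypt` action the scenario calls for.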
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | High (Lambda@Edge + Crypto) | Not reliable or performant | Asymmetric encryption at edge, but limited by Lambda@Edge constraints |
| B | High (Self-managed KMS + WAF) | Medium (custom code overhead) | Manual encryption/decryption, high risk |
| C | Medium (KMS + CloudFront) | Optimized for latency and scale | Best for field-level encryption with least privilege |
| D | Low (HTTPS + Signed URLs) | High | Transport layer security only, not field level |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick CloudFront field-level encryption with KMS keys when you see a requirement for partial sensitive data encryption combined with Lambda integration.
Real World #
In production, you may also integrate AWS Secrets Manager or Parameter Store to manage encryption keys used by Lambdas for data-at-rest encryption beyond what CloudFront supports, depending on your sensitive data lifecycle.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.